Objectives
This exercise will show you how to configure and install
an SSL Apache server.
Specifically you will learn how to do the following:
Verify the authenticity of software downloaded
Configure, compile and install OpenSSL libraries
Configure, compile and install the server with SSL support
Create a server certificate
Create and protect a private server key
Create a certificate signing request file
Understand the purpose of a Certification Authority
Run Apache server on different ports, offering both non-secure and secure connections
Create a self-signed server certificate
Recognize the main elements and settings of a secure server
Installation and configuration instructions
Complete all steps outlined below. Remember to use the /tmp directory for untarring, configuring and compiling source code for all software involved. Make sure that you have enough room on your account before you begin - the logs of your existing server may have become very large by now. Purge them as needed. The key to successful completion of this exercise is to follow the instructions accurately in the outlined sequence.
Please do not copy and paste commands from this page, but rather type them while thinking about what they do.
Software required
To perform the installation you will require 2 pieces of software (source code):
Apache 2.2.xx source: download the latest 2.2.xx version from www.apache.org/httpd
OpenSSL source: only needed if the system's OpenSSL is outdated (see the note below)
Note: downloading OpenSSL may not be necessary. Most Linux systems have OpenSSL already installed. However, you still may need to install your own OpenSSL libraries if the system libraries are not up to date. Outdated versions have well-known security holes that can be used to exploit a seemingly secure server.
Check the version of the system's OpenSSL and determine if the latest version is present.
Command line: openssl version
If the version shown is recent you can proceed directly to the Apache server installation.
To verify the authenticity of downloaded source code you should perform an md5 check (md5sum utility) on the downloaded software, comparing the result with the checksum published by the project. This is a recommended step that should be performed for both OpenSSL and Apache source code.
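The checksum comparison described above, written as a small shell function. This is an added example and not part of the original exercise; the function name and the sample file are constructed for illustration. It accepts md5 (what the exercise uses) as well as sha256, which is the better choice when the project publishes one, since md5 collisions are cheap to produce today.

```shell
#!/bin/sh
# Added example (not part of the original exercise): verify a downloaded
# tarball against a published checksum before untarring it.
# Usage: verify_checksum <md5|sha256> <file> <expected-hex-digest>
# Returns 0 when the digest matches, 1 otherwise.
verify_checksum() {
    algo="$1"; file="$2"; expected="$3"
    [ -f "$file" ] || { echo "verify_checksum: no such file: $file" >&2; return 1; }
    # md5sum / sha256sum print "<digest>  <filename>"; keep only the digest.
    actual=$("${algo}sum" "$file" | cut -d' ' -f1)
    # Published digests are sometimes upper-case; compare in lower case.
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($algo)"
        return 0
    fi
    echo "FAIL $file ($algo): expected $expected, got $actual" >&2
    return 1
}

# Typical use after downloading (the digest shown is a placeholder; take the
# real value from the project's download page, not from the mirror itself):
# verify_checksum md5 httpd-2.2.xx.tar.gz <published-md5-digest> && tar xvzf httpd-2.2.xx.tar.gz
```

Take the expected digest from the project's own site rather than from the same mirror that served the tarball; a mirror that can tamper with the archive can tamper with a checksum file placed next to it.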
OpenSSL configuration and installation
- 1. Un-tar all downloaded OpenSSL software. Remember to do your work in a private directory in /tmp.
Command line: tar xvzf open*gz
- 2. Configure OpenSSL:
Command line: cd openssl*
Command line: ./config --prefix=$HOME/openssl --openssldir=$HOME/openssl
Notes: the system OpenSSL is usually installed as /usr/bin/openssl. We deliberately install into our own directory so the system copy is left untouched.
- 3. Compile and install OpenSSL libraries:
Command line: make
Command line: make install
- 4. Remove the OpenSSL tar file and source directory as they are no longer needed.
SSL Apache 2.0.xx configuration and installation
- 1. Un-tar the Apache source code. Don't forget to use a private directory in /tmp.
Command line: tar xvzf httpd-*gz
- 2. Configure Apache.
Command line: cd httpd-*
Command line: ./configure --prefix=$HOME/shttpd --enable-ssl --with-ssl=PATH
Notes: PATH in --with-ssl is the absolute path to your own OpenSSL installation (the --prefix you used in the previous part).
This option can be omitted if you are using the system OpenSSL libraries.
Once you have completed the above steps without errors, compile and install the server as usual (make, then make install).
If there were no installation errors you should be able to start your server as usual after setting the Listen directive in httpd.conf. You may want to test this right now to verify that the installation was successful.
Creating a certificate for your server
A secure server requires a server certificate before it can establish secure connections. In this step you will create a self-signed certificate. If you have installed your own OpenSSL libraries make sure that you are actually using those and not the system libraries.
- 1. Change your present working directory to the directory where you have installed OpenSSL.
Command line: cd ~/openssl/bin
- 2. Create your private server key.
Command line: ./openssl genrsa -rand somefile -out server.key 1024
Notes:
- The -rand option seeds the random number generator with a file of your choice so that your key is unique. Use any file you wish - your httpd.conf file or some Apache logs may be an option. The idea here is to have input unique to your server, unlikely to be obtainable by someone else.
- Normally the private key should be encrypted. If you wish to do so, include the -des3 option in the command line above. This is a necessary step on a commercial server, since it protects the key itself. If you encrypt your key you will be prompted for a password every time the server is started.
- 3. Have a look at the contents of your generated key.
Notice the different output depending on how you look at the key.
Command line: cat server.key
Command line: ./openssl rsa -noout -text -in server.key
- 4. Protect your private key from outside access.
Command line: chmod 400 server.key
- 5. Create a certificate signing request. You will be prompted for several pieces of information. Enter them to the best of your knowledge.
Command line: ./openssl req -new -key server.key -out server.csr
- 6. Look at the contents of your Certificate Request. As before, each of the command lines below will produce different output. Take note of the differences.
Command line: cat server.csr
Command line: ./openssl req -noout -text -in server.csr
Signing the Certificate
Under normal circumstances the certificate signing request would be submitted to a Certification Authority for processing. Since this is associated with a fee and is not necessary for your server to operate, you will become your own CA and sign your certificate yourself. Please remember that self-signed certificates are not trusted and are only meant for testing. Browsers will issue warnings every time you access your secure server. Although your self-signed certificate will not be trusted, it is perfectly good for obtaining encrypted connections.
- 1. Create a self-signed x509 certificate.
Command line: ./openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- 2. Have a look at the certificate details:
Command line: ./openssl x509 -text -noout -in server.crt
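The key, CSR and self-signed certificate sequence from the two sections above, as an added example that is not part of the original exercise, run non-interactively and followed by the checks worth doing before the files go into Apache's conf directory. It assumes an openssl binary on the PATH (the exercise's ~/openssl/bin/openssl behaves the same); the function names, the directory, the host name www.example.test and the subject fields are placeholders. It departs from the exercise in two deliberate ways: a 2048-bit key instead of 1024, and no -des3 so that the server can restart without a passphrase prompt.

```shell
#!/bin/sh
# Added example (not part of the original exercise): key -> CSR -> self-signed
# certificate, then the checks a practitioner runs on the result.
# Assumes "openssl" is on PATH; host name and paths are placeholders.

# make_server_cert <dir> <hostname> [days]
make_server_cert() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    # Private key: 2048-bit RSA (the exercise uses 1024). -des3 omitted so the
    # server can start unattended; add it if the key must be encrypted at rest.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # Lock the key down before anything else touches it (exercise step 4).
    chmod 400 "$dir/server.key" || return 1
    # Certificate signing request; -subj answers the interactive prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=XX/O=Example Lab/CN=$host" || return 1
    # Self-sign the request with the same key, standing in for a CA.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
}

# cert_matches_key <dir>: certificate and key must share one RSA modulus.
# A mismatch here is the usual cause of Apache refusing the key/cert pair.
cert_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key") || return 1
    c=$(openssl x509 -noout -modulus -in "$1/server.crt") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_subject_cn <dir>: print the CN, which must be the name clients use.
# Handles both the "CN = x" and the older "/CN=x" output formats.
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_is_self_signed <dir>: verify the certificate using itself as the only
# trust anchor. It passes here precisely because we supplied that anchor;
# a browser has no such anchor, which is why it warns.
cert_is_self_signed() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# key_is_private <dir>: the key file must be owner-read only (mode 0400).
key_is_private() {
    [ "$(ls -l "$1/server.key" | cut -c1-10)" = "-r--------" ]
}

# Stand-alone use (placeholders):
# make_server_cert "$HOME/lab-cert" www.example.test && cert_matches_key "$HOME/lab-cert" && echo "cert and key agree"
```

Running the checks after every regeneration catches the two mistakes that surface only at server start: a certificate signed with a different key than the one copied into conf/, and a key left readable by other accounts on the machine.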
Installing the certificate
By default Apache expects to have the private key and certificate in its conf directory. Place the appropriate files in your server's conf directory.
Command line: cp server.key SERVER_ROOT/conf/server.key
Command line: cp server.crt SERVER_ROOT/conf/server.crt
Configuring Apache for SSL
- If you have not done it already, configure your server to listen on one of your ports (in httpd.conf).
- Configure your secure server.
The secure configuration is stored in the conf/extra/httpd-ssl.conf file. At least the following must be set:
- Listen: set it to one of your ports, different from the one you used for the non-encrypted Listen in httpd.conf
- VirtualHost: set it to reside at the secure port
- ServerName: within the virtual host set it to your server name (including port)
Don't forget to uncomment the appropriate Include line in your httpd.conf, so your server is aware of httpd-ssl.conf.
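The three settings listed above, written out as a minimal httpd-ssl.conf for a lab server, together with a check that the secure port really differs from the one in httpd.conf. This is an added example, not part of the original exercise or of the Apache distribution's own httpd-ssl.conf; the port numbers, host name, server root and function names are placeholders for your own values.

```shell
#!/bin/sh
# Added example (not part of the original exercise): minimal SSL virtual host
# settings plus a check that the two Listen ports do not collide.
# All ports, paths and names below are placeholders.

# write_ssl_conf <file> <ssl-port> <hostname> <server-root>
write_ssl_conf() {
    cat > "$1" <<EOF
# Secure port; must differ from the Listen in httpd.conf
Listen $2

<VirtualHost _default_:$2>
    ServerName $3:$2
    DocumentRoot "$4/htdocs"
    SSLEngine on
    # The key and certificate copied into the conf directory earlier
    SSLCertificateFile    "$4/conf/server.crt"
    SSLCertificateKeyFile "$4/conf/server.key"
</VirtualHost>
EOF
}

# listen_ports <conf-file>: print the port of every active Listen directive,
# ignoring comment lines and reducing "address:port" to just the port.
listen_ports() {
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" \
        | sed 's/.*://'
}

# ports_are_distinct <httpd.conf> <httpd-ssl.conf>: fail if any port appears
# in both files, so the plain and SSL virtual hosts never share a port.
ports_are_distinct() {
    for p in $(listen_ports "$2"); do
        for q in $(listen_ports "$1"); do
            [ "$p" = "$q" ] && return 1
        done
    done
    return 0
}

# Stand-alone use (placeholders):
# write_ssl_conf "$HOME/shttpd/conf/extra/httpd-ssl.conf" 8443 www.example.test "$HOME/shttpd"
# ports_are_distinct "$HOME/shttpd/conf/httpd.conf" "$HOME/shttpd/conf/extra/httpd-ssl.conf" && echo "ports OK"
```

Run the port check before apachectl start; a clash between the two Listen directives is the most common reason the SSL-enabled server fails to come up after this step.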
Starting and stopping an SSL Apache server
The Apache control script - apachectl can be also used to start and stop the server when configured for SSL. There is no difference from a non-SSL server. Just remember that you have an extra virtual host now.
When accessing the new server use the http:// prefix when connecting to the un-secure port and the https:// prefix when connecting to the secure port. The https:// prefix directs the browser to use the Secure Sockets Layer (SSL). The appropriate port number must be specified after the colon in both cases. Try to access the secure port using just the http:// prefix. Notice the message in the browser.
Try to access your server using both ports. What happens? What messages do you get? How should you access secure servers differently than regular ones?
When connecting to your secure port you will be offered a certificate when you try to connect. Take a look at your certificate. Do you see the data you have entered during installation?
From now on, you are able to offer secure, encrypted transactions using your secure server. Whenever your site handles personal information (some people believe that all information is personal) you should handle it over a secure connection so it cannot be seen or tampered with. Secure communication over the Internet can be a fascinating topic and it has a very big future. We hope that you take what you have started to learn here and build on it. There is much to learn, but it is very worthwhile.
This is possibly the simplest of installations for SSL. If you want to get an inkling of the choices you can make when installing these packages, read the INSTALL files in the source directories after you open up the tar balls. They are quite informative. Perhaps you want to create a more specific certificate. Every time you attempt a new setup it is recommended that you start with fresh source directories and a new destination directory.
Additional information
To experience connecting to a web server at the HTTP protocol level you have used telnet in the past:
telnet localhost port
GET / HTTP/1.0
Unfortunately this approach will not work with SSL, because the connection must be encrypted before any HTTP is sent. If you wish to see response headers from a secure server you can use the openssl command-line tool instead:
openssl s_client -connect localhost:port -state -debug
GET / HTTP/1.0
By using this method you will be able to see the response header lines as well as the details of the SSL handshake.